{"id":41185778,"url":"https://github.com/openxpki/openxpki-docker","last_synced_at":"2026-01-22T20:16:26.457Z","repository":{"id":138121344,"uuid":"191316071","full_name":"openxpki/openxpki-docker","owner":"openxpki","description":"Dockerfile an supporting scripts to build and run OpenXPKI using Docker","archived":false,"fork":false,"pushed_at":"2025-08-27T19:10:31.000Z","size":48,"stargazers_count":106,"open_issues_count":10,"forks_count":40,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-08-28T04:05:19.575Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openxpki.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-06-11T07:19:57.000Z","updated_at":"2025-08-27T19:10:35.000Z","dependencies_parsed_at":"2024-12-26T20:19:21.526Z","dependency_job_id":"ef92baa7-4560-4440-8687-41cb54674eb0","html_url":"https://github.com/openxpki/openxpki-docker","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/openxpki/openxpki-docker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fopenxpki-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fopenxpki-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fopenxpki-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fopenxpki-docker/manifests","owner_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openxpki","download_url":"https://codeload.github.com/openxpki/openxpki-docker/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openxpki%2Fopenxpki-docker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28670366,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T19:36:09.361Z","status":"ssl_error","status_checked_at":"2026-01-22T19:36:05.567Z","response_time":144,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-22T20:16:25.786Z","updated_at":"2026-01-22T20:16:26.451Z","avatar_url":"https://github.com/openxpki.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenXPKI with Docker\n\n\u003e [!CAUTION]\n\u003e This repository and the provided images are intended for demonstration and test purposes and should **not** be used in a production environment!\n\u003e The images and setup instructions always reflect the head of current development and do **not** address any backwards compatibility issues.\n\n## Prebuilt Images\n\nPrebuilt images for the official releases are provided by White Rabbit Security via a public Docker repository on DockerHub `whiterabbitsecurity/openxpki3`. 
Those are created from the `Dockerfile` found in this repository.\n\n## Container Layout\n\nThis repository contains a `docker-compose.yml` that spawns four containers\n\n- Database (based on mariadb:11)\n- OpenXPKI Server\n- OpenXPKI Client\n- OpenXPKI WebUI\n\n## Configuration\n\nBefore running compose you **MUST** place a configuration directory named `openxpki-config` in the current directory, the easiest way is to clone the branch `community` from the `openxpki-config` repository at github.\n\n```bash\n$ git clone https://github.com/openxpki/openxpki-config.git \\\n\t--single-branch --branch=community\n```\n\nFor additional details on configuration, have a look at the [QUICKSTART](https://github.com/openxpki/openxpki-config/blob/community/QUICKSTART.md) document in the configuration repository.\n\n### Mandatory Setup\n\n#### Authentication for CLI\n\nThe command line interface is used to setup the issuing certificates and requires an authentication key pair. Create a folder `./config` in the top level of your docker compose setup and generate the private key `client.key` in it. To make the key readable, change the permissions to 644 - as the folder inside the container is only accessible by the user this is not a security risk.\n\n```bash\n$ mkdir -p config\n$ openssl ecparam -name prime256v1 -genkey -noout -out config/client.key\n$ chmod 644 config/client.key\n```\n\nNow extract the public key and put the output to the file `openxpki-config/config.d/system/cli.yaml`.\n\n```bash\n$ openssl pkey -in config/client.key -pubout\n```\n\n#### Vault Secret\n\nTo protect confidential information inside the database, the system requires the definition of an encryption key. 
To generate a 32 byte value in hexadecimal encoding run `openssl rand -hex 32` and put it into `openxpki-config/config.d/system/crypto.yaml`:\n\n```yaml\n# Secret group to be shared in all realms\nsecret:\n    ......\n    svault:\n        label: Secret group for datavault encryption\n        method: literal\n        value: \u003cyou must put your own 64 characters key here\u003e\n```\n\nPlease keep a copy of this value in a safe place! If you lose it, you will lose access to all encrypted data inside the system.\n\n### Recommended Setup\n\n#### Webserver Certificate\n\nThe webserver container maps the folder `openxpki-config/tls/` to `/etc/openxpki/tls/`, the related configuration items are:\n\n```ini\nSSLCertificateFile /etc/openxpki/tls/endentity/openxpki.crt\nSSLCertificateKeyFile /etc/openxpki/tls/private/openxpki.pem\nSSLCACertificatePath /etc/openxpki/tls/chain/\n```\n\nPlace certificate and key in the given places. The `chain` folder is used to validate incoming TLS Client requests, it must in any case hold a single file as Apache does not start otherwise.\n\nIf you do not provide any files, dummy certificates will be created on first startup. Please keep in mind that TLS Client Authentication does not work with those dummy certificates, so EST reenroll will not work either!\n\n### Optional Setup\n\n#### Database Configuration\n\nThe example configuration uses the same passwords as those given in the compose file,\nif you change them, also update them in `config.d/system/database.yaml`.\n\n#### Session Storage Driver\n\nThe default uses (again) the filesystem to store the frontend sessions\nso there is nothing to do for a single node setup. 
Refer to the\n[QUICKSTART](https://github.com/openxpki/openxpki-config/blob/community/QUICKSTART.md) document\non how to setup a shared session storage using a database.\n\n## Bring It Up\n\nThe remainder of this guide is based on an unmodified configuration, if you want to run a customized configuration you might need to adapt the steps.\n\nThe old `docker-compose` (Version 1) is no longer supported, you need a recent version of `docker` with the `compose` plugin.\nIt should be sufficient to start the *web* container as this depends on all others so they will also be started:\n\n```bash\n$ docker compose up -d web\n\n[+] Running 4/4\n ✔ Container OpenXPKI_Database  Healthy                                    0.5s\n ✔ Container OpenXPKI_Server    Running                                    0.0s\n ✔ Container OpenXPKI_Client    Running                                    0.0s\n ✔ Container OpenXPKI_WebUI     Running                                    0.0s\n\n```\n\nIn case you have `make` installed you can also just run `make compose` which does all the above for you.\n\nThe system should now be up and running and you can access the WebUI via https://localhost:8443/webui/index/.\n\nYou can already have a look around but to issue certificates you need to generate and import your Root and Issuing CA certificates and load them into the system.\n\n## Issuing CA Setup\n\n### Production\n\nTo import your own keys and certificates follow the instructions given in the QUICKSTART tutorial. 
If you want to set up a two-tier hierarchy we recommend using our command line ca tool `clca` (https://github.com/openxpki/clca).\n\n### Testdrive\n\nThe default config repository comes with a bootstrap script that generates a two-tier PKI hierarchy and prepares everything \"ready-to-go\".\n\n```bash\n$ docker compose exec -u pkiadm  server /bin/bash /etc/openxpki/contrib/sampleconfig.sh\n```\n\nIf you have `make` installed, just run `make sample-config` which will run the above command for you.\n\n## Troubleshooting\n\n### 500 Server Error / No WebUI\n\nMost likely your session storage driver setup is broken, check the logs of the client container.\n\n### Running on SELinux\n\nSome distros, e.g. CentOS/RHEL, have SELinux enabled by default which will likely prevent the docker container from reading the mounted config volume. You can work around this by adding a `:z` to the volume path in the `docker-compose.yml` - please read https://github.com/moby/moby/issues/30934 **before** doing so as it can make your system unusable!\n\n### Running on Windows\n\nThe sample configuration uses a so-called symlink to a template directory to create the \"democa\". Windows does not support symlinks and when you clone\nand mount the repository from a host running Windows this configuration is missing. If you get `No workflow configuration found for current realm`\nwhen starting OpenXPKI try to replace the (broken) symlink in openxpki-config/config.d/realm by a full copy.\n\nAnother option is to activate symlink emulation in git, see https://github.com/git-for-windows/git/wiki/Symbolic-Links.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenxpki%2Fopenxpki-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenxpki%2Fopenxpki-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenxpki%2Fopenxpki-docker/lists"}